Introduction and meaning of the right to erasure:
The right to erasure, also known as the right to be forgotten, allows users to request the erasure of their personal data when certain conditions are met. Websites must implement procedures that allow users to exercise this right easily and effectively. Here are the requirements explained in detail:
Request for erasure (Article 17 GDPR):
- Request: Users must have the opportunity to request erasure of their personal data. This can be done through an online form, email or other easily accessible methods.
- Verification of identity: Websites must ensure that the requester is indeed the data subject. This can be done through appropriate verification procedures to prevent unauthorized deletion requests.
Legitimate reasons for deletion (Article 17 GDPR):
- Reasons for deletion: Users can request the deletion of their data if one of the following reasons applies:
  - The data is no longer necessary for the purposes for which it was collected or processed.
  - The data subject withdraws his or her consent and there is no other legal basis for the processing.
  - The data subject objects to the processing and there are no overriding legitimate grounds for the processing.
  - The data was processed unlawfully.
  - The deletion is necessary to fulfill a legal obligation.
Implementation of deletion (Article 19 GDPR):
- Immediate deletion: Upon receipt of a legitimate deletion request, the website must delete the personal data immediately. This also includes the deletion of data from backup systems, if technically possible.
- Notification of third parties: If the personal data have been made public or disclosed to third parties, the controller must take reasonable steps to inform those third parties of the erasure request and request that they also delete all copies of that data.
Documentation and proof (Article 30 GDPR):
- Register of processing activities: Controllers must keep a register of processing activities, including the erasure of personal data. This register should contain information on the purposes of the processing, the categories of data subjects and the personal data, as well as the recipients of the data.
Relevant articles of the GDPR:
- Article 17: Right to erasure (right to be forgotten)
- Article 19: Obligation to notify in relation to the rectification or erasure of personal data or the restriction of processing
- Article 30: List of processing activities
Examples of compliance with the requirements:
- Online deletion request form: A social network provides an online form through which users can request deletion of their account and data. After identity verification, the deletion request is processed and the data is deleted from all systems.
- Deletion upon request via email: An e-commerce company allows users to request deletion of their data via email. The request is reviewed and users receive a confirmation once the data has been deleted.
Summary:
Websites must implement procedures that allow users to request the deletion of their personal data easily and effectively. This includes providing easily accessible methods to submit requests, verifying the identity of requesters, processing legitimate deletion requests, and documenting the deletion. Adhering to these requirements will strengthen user privacy protections and ensure compliance with the GDPR.